SB2017041322 - XML External Entity injection in libxml2 (Alpine package)
Published: April 13, 2017
Security Bulletin ID
SB2017041322
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) XML External Entity injection (CVE-ID: CVE-2016-9318)
The vulnerability allows a local non-authenticated attacker to execute arbitrary code.
libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=1647bdc21ffc22aacee5ea142d372445d1fd5b03
- https://git.alpinelinux.org/aports/commit/?id=5e57be93778177ca048236091d2814a4ad205903
- https://git.alpinelinux.org/aports/commit/?id=9ba0323ae03ecb1319c9174e281260c37544fa1d
- https://git.alpinelinux.org/aports/commit/?id=a6c278e2f3d21e7ffc9b25ad0cd3845c3caafcf9
- https://git.alpinelinux.org/aports/commit/?id=a49c9e6942d3d44160b5470c06957e99a8191d7f
- https://git.alpinelinux.org/aports/commit/?id=80f4efd8ae07abf0f36afd88e30f5a1ed1f94628
- https://git.alpinelinux.org/aports/commit/?id=0c50a730f9a2d7cb389bdb86401dbb42a8502113
- https://git.alpinelinux.org/aports/commit/?id=b85d4e331f098971cca12642a00f275b944423a0
- https://git.alpinelinux.org/aports/commit/?id=dd41adafc421b9fe26d4c9b306c4f55d5affbd19
- https://git.alpinelinux.org/aports/commit/?id=f5ccdd14bba6a609b51584103e7638c7b0b77150
- https://git.alpinelinux.org/aports/commit/?id=fdb449e8f1dfc399f13e43ffed6a4d1dddf24c43